topic Re: Legacy DHCP Relay services vs R80.x - gw not configured as relay in Firewall and Security Management

Legacy DHCP Relay services vs R80.x - gw not configured as relay

Firewallteam_DE — Fri, 30 Oct 2020 13:17:53 GMT

Hello Mates

We are preparing Migration of MDS to R80 and following is the example pre-check warning:

Two possible options to solve the problem: 1). Remove legacy DHCP Relay services and add new DHCP Relay services. See sk104114 for instructions. This is the recommended action if managing only R77.20 gateways and above. 2). Keep legacy DHCP Relay services and make changes to the Gateways and the Security Management Servers. See sk98839 for instructions. Do this if managing any gateways which are older than R77.20. Legacy DHCP Relay service(s): bootp, dhcp-relay, dhcp-rep-localmodule, dhcp-req-localmodule Some of the legacy DHCP Relay service(s) are members of the following rulebase(s): Policy skibidabdab_Prod, rules: XY. For more information, see sk104114 or sk98839.

We have plenty of gateways managed by CMAs which policies have Legacy DHCP relay services objects in its rules. Current GW batch has all R70.20 and above.

The article mentions that in case the gateways are not configured as DHCP agents (none are, as I checked on GWs: RTGRTG0019 BOOTP: Feature is not enabled ), then we should follow all sections except "DHCP Relay Configuration":

“If Gaia OS will not be configured as a DHCP Relay Agent and will only be used to secure DHCP relay traffic between a separate DHCP Relay Agent and a DHCP Server, follow all instructions except for the "DHCP Relay Configuration" section, and modify the security policy with the correct IPs for the DHCP Relay and DHCP server.”

According to initial error we should only change the Services in policies to newer ones (those in right replace with those in left - attached):

BUT SK article discusses all other configurations in its sections (excluding DHCP Relay Configuration part) like Hotfix, fwx_dhcp_relay_nat parameter, dhcp_objects create, table.def modifications, global properties and various precautions in rules related to DHCP traffic handling…. Many times referring to gateway as relay agent which is not our case.

How should we interpret that information? Is it enough to just replace the objects in the policies or do we have to go through all other mentioned configurations? Gateways are only securing the DHCP traffic, they are not acting as relays.

I searched forum for posts related to this and although there are plenty, following one seems as relevant to the case:

https://community.checkpoint.com/t5/Policy-Management/Need-to-change-bootp-config-to-dhcp-request-when-upgradig/m-p/53664

Can somebody confirm this is safe to assume?

Re: Legacy DHCP Relay services vs R80.x - gw not configured as relay

PhoneBoy — Sun, 01 Nov 2020 06:41:57 GMT

eIt should be enough to replace the relevant objects in the policy.

Re: Legacy DHCP Relay services vs R80.x - gw not configured as relay

Firewallteam_DE — Mon, 02 Nov 2020 14:10:22 GMT

Thank you PhoneBoy

It is a step forward to know that.

Re: Legacy DHCP Relay services vs R80.x - gw not configured as relay

Firewallteam_DE — Mon, 02 Nov 2020 14:19:53 GMT

@Wolfgang Hello, I can see you replied quite confidently on following thread - https://community.checkpoint.com/t5/Policy-Management/Need-to-change-bootp-config-to-dhcp-request-when-upgradig/m-p/53664

using the new DHCP services is not mandatory.

Using the bootp like you does, there is no need to change to the new dhcp services.

Configuration of IPv4 BOOTP/DHCP Relay using new services describes really good the new DHCp services and there need or not.

For youre use case, snip from the document:

"For backwards compatibility, the legacy DHCP (BOOTP/DHCP) services can still be used with newer Security Gateways and Security Management Servers."

The new DHCP services allows an improved configuration of the rules for DHCP relay.

Wolfgang

Do you know anyone who can confirm this? There are many policies with Legacy DHCP in our environment and would be easier to not replace them if only some improved handling is benefit currently.